BGP Prevent Transit AS

thanks a lot :slight_smile:

Fantastic … it was never so easy to understand the “transit AS” issue … many thanks, Rene.

Hi Rene,

Why should it be inbound and not outbound? Please help me understand:

R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 route-map NO-EXPORT in
R1(config-router)#neighbor 192.168.13.3 route-map NO-EXPORT in

thanks

Hi Abhishek,

We want to make changes in our AS and we receive prefixes from the ISP routers. When we receive these prefixes, we set the no-export community. This means our AS won’t advertise them to another AS.

Using an outbound route-map in BGP is useful if you want to advertise something to another router or AS.

Rene
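As an added illustration, not from the lesson or from Rene's reply: a small Python model of what the inbound NO-EXPORT route-map does on the customer router. It uses the two eBGP neighbors from the question above, assumes their AS numbers (AS 2 and AS 3) and adds a hypothetical iBGP peer 10.1.1.2 to show that tagged routes still reach peers inside our own AS while never leaving it.

```python
# Constructed model of the customer router (AS 1) from the lesson. The two eBGP
# neighbors are the ones in the question; their AS numbers and the iBGP peer are assumed.
LOCAL_AS = 1
NO_EXPORT = "no-export"          # the well-known BGP community

PEERS = {
    "192.168.12.2": {"as": 2, "in_map": "NO-EXPORT"},   # ISP1, eBGP (AS assumed)
    "192.168.13.3": {"as": 3, "in_map": "NO-EXPORT"},   # ISP2, eBGP (AS assumed)
    "10.1.1.2":     {"as": 1, "in_map": None},          # assumed iBGP peer in our AS
}

def receive(prefix, from_peer, communities=()):
    """Run the inbound route-map as the UPDATE arrives. Because the tag is set
    on ingress, one map per ISP session covers every outbound eBGP session."""
    comms = set(communities)
    if PEERS[from_peer]["in_map"] == "NO-EXPORT":
        comms.add(NO_EXPORT)            # 'set community no-export'
    return {"prefix": prefix, "from": from_peer, "communities": comms}

def originate(prefix):
    """A prefix injected with 'network ...' carries no tag and has no source peer."""
    return {"prefix": prefix, "from": None, "communities": set()}

def may_advertise(route, peer):
    """BGP's rule for no-export: never send the route to a peer in another AS;
    peers inside our own AS (iBGP) still get it. A route is also never echoed
    back to the neighbor it was learned from. (iBGP split horizon is omitted.)"""
    if peer == route["from"]:
        return False
    if NO_EXPORT in route["communities"] and PEERS[peer]["as"] != LOCAL_AS:
        return False
    return True

def export_targets(route):
    """Sorted list of neighbors that would receive this route."""
    return sorted(p for p in PEERS if may_advertise(route, p))

if __name__ == "__main__":
    isp1_route = receive("2.2.2.0/24", "192.168.12.2")
    print(export_targets(isp1_route))                # only the iBGP peer: no transit
    print(export_targets(originate("1.1.1.0/24")))   # our own prefix goes to all peers
```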

RT VS GRT

Hi Rene,

Can you please tell me what the difference is between the routing table and the global routing table in terms of the NEXT HOP?
Example:
I am an enterprise and I am peering with an ISP through BGP. Now I have to go to prefix 202.x.y.z (www.gmail.com).

So how will my outbound traffic go in the above case?

Now if I get the global routing table in my Internet router, how will the outbound traffic go?

Thanks in advance
Abhishek

Hi Abhishek,

By default, you have one routing table which is your global routing table. Once you start working with VRFs, that’s when you will have more than one routing table.

Take a look at this lesson to learn more about this:

VRF Lite

Rene


Hey Rene,

Thanks for your great lessons and labs you post. I have a question regarding BGP when using 2 ISPs.

I have a multi-homed ISR with two ISPs, both advertising a default route via BGP. I have manipulated the weight attribute to prefer ISP1 over ISP2. My question is: why, when I learn the default route through ISP1, does my ISR also advertise it to ISP2, becoming a transit AS, even though I didn’t manually configure it under my BGP instance?

Thanks in advance.

Hi @iniguezjuan,

By default, BGP will advertise prefixes that you have learned from one eBGP neighbor to another eBGP neighbor. That’s why you will have to configure your router to prevent this :slight_smile:

Hi,

R1 (I want this in the transit AS)
router bgp 1
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 neighbor 10.0.0.2 remote-as 2
 neighbor 20.0.0.2 remote-as 3


R2 (ISP 1)
router bgp 2
 bgp log-neighbor-changes
 network 2.2.2.0 mask 255.255.255.0
 neighbor 10.0.0.1 remote-as 1


R3 (ISP 2)
router bgp 3
 bgp log-neighbor-changes
 network 3.3.3.0 mask 255.255.255.0
 neighbor 20.0.0.1 remote-as 1
 auto-summary

All loopback IPs are reachable from the customer router, which is placed in the transit AS; however, from ISP 1’s loopback 2.2.2.2 I am unable to ping ISP 2’s loopback 3.3.3.3. Please help.

Hello Kaza

At first glance there doesn’t seem to be an issue with your configs. However, keep in mind that BGP is slow. It’s a good idea to use the clear ip bgp * command to speed things up.

Also, the config you are setting up is similar to that in the lesson. Try duplicating the lesson first and see that that works. You can then adjust your IP addresses accordingly to match the lab you want. Let us know of your results…

I hope this has been helpful!

Laz

Hello Laz, I was asking myself why can’t we use route-map with AS-PATH access-list instead of using filter-list in the first example?

ip as-path access-list 1 permit ^$
!
route-map LAZ permit 10
     match as-path 1
exit
!
router bgp 1
     neighbor <ip> route-map LAZ out
exit

Regards.

Hello sales2161

Hmm, that’s an interesting solution that actually looks correct. I don’t see why this wouldn’t work. Can you lab it up and share the results? We can share it with Rene and see what he thinks…

Laz


How would I be able to filter out R3’s loopback address on R2 using an as-path access-list?

Here’s what I did:

r2
ip as-path access-list 1 deny 3$
router bgp 2
   neighbor 192.168.12.1 filter-list 1 in

The above filtered out both R1’s & R3’s loopbacks. I assume it was due to an implicit deny. I then tried creating a route-map calling the as-path access-list 1 along with a second sequence number permitting all. This filtered nothing. Any thoughts?

Hello Bruce

First of all, I’m assuming your R2 is the R1 in the lesson, and R1 and R3 are ISP1 and ISP2 respectively.

The neighbor 192.168.12.1 filter-list 1 in command should only filter BGP routes that are being received from the neighbor on which they were configured, namely ISP1 (192.168.12.1). This command should not filter out the routes received from ISP2, so something else is taking place in your topology.

As for the deny 3$ statement, this would deny any AS path that ends in 3, that is, the AS of ISP2.

If you want to deny this you would have to apply it as neighbor 192.168.13.1 filter-list 1 in so that you can filter the advertisements coming from ISP2. I also suggest you use the ^3$ argument in order to match exactly that AS.

Try this out and let us know…

I hope this has been helpful!

Laz
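As an added illustration, not from the lesson or from either poster: a small Python model of how IOS evaluates an ip as-path access-list and a route-map, run over a constructed BGP table for the lesson's topology (AS 1 with ISP1 as AS 2 and ISP2 as AS 3; the AS 23 prefix is invented). It covers the ^$ outbound route-map proposed earlier in the thread and the deny 3$ list from the question above, including why a list that only denies permits nothing, and why a route-map deny sequence that references such a list never matches.

```python
import re

# Constructed BGP table of the customer router (AS 1 in the lesson); ISP1 is AS 2,
# ISP2 is AS 3. Each route is (prefix, AS path as a list of ASNs).
ROUTES = [
    ("1.1.1.0/24", []),        # originated in our own AS: empty AS path
    ("2.2.2.0/24", [2]),       # learned from ISP1
    ("3.3.3.0/24", [3]),       # learned from ISP2
    ("4.4.4.0/24", [2, 23]),   # learned from ISP1, originated by (invented) AS 23
]

def as_path_text(path):
    """IOS applies the regex to the path rendered as space-separated ASNs."""
    return " ".join(str(asn) for asn in path)

def acl_permits(entries, path):
    """ip as-path access-list: entries are tried in order, the first match
    decides, and a path matching no entry is dropped (implicit deny)."""
    text = as_path_text(path)
    for action, regex in entries:
        if re.search(regex, text):
            return action == "permit"
    return False

def filter_list(entries, routes=ROUTES):
    """Prefixes surviving 'neighbor ... filter-list N in|out' built from entries."""
    return [prefix for prefix, path in routes if acl_permits(entries, path)]

def route_map_permits(sequences, acls, path):
    """route-map: each sequence is (action, acl_name or None). 'match as-path N'
    is satisfied only when list N PERMITS the path; a sequence without a match
    clause matches everything; a route matching no sequence is dropped."""
    for action, acl in sequences:
        if acl is None or acl_permits(acls[acl], path):
            return action == "permit"
    return False

def route_map_filter(sequences, acls, routes=ROUTES):
    """Prefixes surviving 'neighbor ... route-map NAME in|out'."""
    return [p for p, path in routes if route_map_permits(sequences, acls, path)]

if __name__ == "__main__":
    # permit ^$ keeps only locally originated prefixes: nothing from ISP1 reaches ISP2.
    print(route_map_filter([("permit", "1")], {"1": [("permit", r"^$")]}))
    # A list containing only 'deny 3$' permits nothing: all routes hit the implicit deny.
    print(filter_list([("deny", r"3$")]))
    # That list never PERMITS a path, so a deny sequence matching it never fires.
    print(route_map_filter([("deny", "1"), ("permit", None)], {"1": [("deny", r"3$")]}))
    # Fix: PERMIT what the deny sequence should catch; '^3$' matches "3" only, '3$' also "2 23".
    print(route_map_filter([("deny", "1"), ("permit", None)], {"1": [("permit", r"^3$")]}))
```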

Hello,

A very stupid question :smiley:

But if all providers create filters to prevent becoming a transit AS, what would happen on the Internet?
I think an ISP wants to do BGP filtering to save its routers from overload, but what would happen if all ISPs do the same?

The Internet would become inconsistent, right?

Thanks

Hello Giovanni

You are correct, that if a provider does not allow its own network to become a transit network, then this can potentially cause problems to routing on the Internet.

Remember that the Internet has a hierarchical structure. Within its structure, we have Tier 1, Tier 2, and Tier 3 networks. The following diagram shows an example of how these interconnect:

[diagram: Tier 1, Tier 2 and Tier 3 networks and their interconnections]

Tier 1 networks must route all traffic that they receive, to any other connected network.
Tier 2 networks must route all traffic that they receive, to any other connected network, except from one Tier 1 network to another Tier 1 network.
Tier 3 networks must route all traffic that they receive to any other connected network, except from one Tier 2 or 1 network to another Tier 2 or 1 network.

So, if you have a Tier 3 network (your ISP for example), and it is connected to two or more Tier 2 networks, then your ISP should not be responsible for routing traffic from one Tier 2 network to another Tier 2 network. This will overload the ISP’s network with traffic it was never designed to carry.

Now that is the architecture of the Internet. For this specific lesson, the concept focuses on the edge of an enterprise network. If you connect to two ISPs, and you are exchanging BGP routes, you may end up advertising BGP routes from one ISP into the other, thus becoming a transit AS. This will result in the enterprise network carrying public Internet traffic, a load that it was not designed for, and for which it is not responsible. This is where the feature described in this lesson comes in handy.

I hope this has been helpful! Stay healthy and safe!

Laz


Hi,
I’m not sure if I completely understand.
Can you explain how to classify a network as Tier 1, Tier 2 or Tier 3?

Does IANA do something to decide who works as a transit network?

Thanks

Hello Giovanni

There is no official designation of the three Tiers of networks, but they are generally well-accepted as entities with somewhat varying definitions. Their definitions have to do with how they peer with other networks, who they provide services to, and who has to pay whom fees for access.

Generally speaking, Tier 1 networks (planet-wide backbones), are the highest level networks on the Internet. They are the backbone. These networks can exchange traffic (peer) with other Tier 1 networks in both directions without paying any fees.

Tier 2 networks (regional backbones) can connect with other Tier 2 networks (peering) and exchange traffic for free, but must pay fees for transit traffic exchanged with Tier 1 networks.

Tier 3 networks (your ISP for example) must pay for all of their transit and peering services to Tier 2 networks.

These are general guidelines, but this ecosystem has developed as a viable business plan for the infrastructure of the Internet. Even though I don’t usually link to Wikipedia, it does have a good article about this infrastructure, with some useful reference links. You can take a look at the link below:

No, there are no restrictions enforced by any entity as far as transit traffic goes. It is something that has simply developed as a financial model for the routing of traffic between networks, and how those are costed.

I hope this has been helpful! Stay healthy and safe!

Laz

You need to either update the configs or change the network command. The configs show interface lo0 in each router as a /32, while the router bgp <AS#> network command uses a /24.